Whatever you need to do, you already know there’s an app for that. Unfortunately, though, there is also an app for clicking on ads and pocketing the revenue.

Fake apps and malware have been causing issues with ads for years. 

Click injection and click spamming are two of the most common methods of fraudulently engaging with app-based ads. And some apps even run silently in the background to generate views on videos – for example, the Drainerbot campaign from 2020.

Software development kits (SDKs) are often the weak link and can be stuffed with malware elements without the developers’ knowledge. An SDK is a tool commonly used by developers to create software more easily.

Drainerbot leveraged an infected SDK to insert the fraudulent element into genuine apps. 

Read more about how SDKs are spoofed as part of ad fraud campaigns

But the difference between SDK spoofing and fake app attacks is that fake apps are often intentionally created as part of an elaborate fraud campaign. They usually look like another better-known app or even use the same name, content, or branding as a well-known app.

Examples of fake apps

A famous recent example is a fake Clubhouse app for PC, advertised on Facebook. In this instance, the fake app installed the credential-stealing BlackRock malware.

Users were led from the Facebook ad to a fake Clubhouse website where they were shown a ‘Download Now’ button. However, clicking the button downloaded the software directly from the website, not from the app store where software is checked and filtered.

This method of bypassing app stores is, in general, how fake apps get installed. Because Apple and Google both have processes to verify if an app is genuine, these fake apps rely on people to download them directly from websites or third-party app stores with less security.

Another method of creating fake apps is simply to copy existing ones. Reportedly, a Russian company released a software program called Net2Share which allowed users to clone software and apps in minutes. The theory was that enterprising thieves could copy someone else’s work and make some easy money – pretty shady stuff.

As well as the issue of intellectual property theft, the software also injected a malware element into the copied software which was designed to perform mobile ad fraud. So not just stealing someone else’s work, but also stealing ad revenue too…

As a user, these fake apps can carry out all sorts of sneaky data theft and fraudulent activity. But how does this activity affect business owners and marketers?

One of the most insidious and subtle ways that fake apps impact business owners is via ad fraud. This is the process where an ad which is displayed on an app or webpage is clicked, not by the human user, but by the software itself.

There are several ways this happens:

Click spamming

Each touch on the device is magnified and used to generate clicks on hidden ads or other elements. All of this happens without the knowledge of the user, who might simply be playing a game or using a utility tool such as a photo editor. Click spamming is one of the main forms of ad fraud used by fake apps.

Click injection

This form of digital attribution fraud attempts to claim the credit for a genuine app install or other paid download. The theory is that the paid referral is credited to the app developer or website owner. By spamming the app store with clicks, the software claims the credit, which also skews the metrics for advertisers analysing their platforms.

Invisible ads

To perform ad fraud, fake apps can also serve up impressions on display and video ads without the device user’s knowledge. These invisible ads can be served in a hidden iframe within the app, or using an un-viewable aspect ratio, such as a 1×1 pixel. Even though these ads are imperceptible to the user, they still drain battery power and data usage on the device.
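
As an added example (not from the original article), here is a defender-side audit that flags the invisible-ad and click-spam patterns described above in ad event logs: impressions rendered at 1×1 or in a hidden container, and clicks on ads that were never viewable. The log layout, app names and the 50% threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ad events, in time order (not real traffic).
# Fields: (app, device, event type, ad id, width px, height px, container hidden)
EVENTS = [
    ("photo.editor.demo", "d1", "impression", "a1", 1, 1, False),    # 1x1 pixel
    ("photo.editor.demo", "d1", "click", "a1", 0, 0, False),
    ("photo.editor.demo", "d1", "impression", "a2", 320, 50, True),  # hidden iframe
    ("photo.editor.demo", "d1", "click", "a2", 0, 0, False),
    ("photo.editor.demo", "d1", "click", "a9", 0, 0, False),         # never rendered
    ("news.reader.demo", "d2", "impression", "b1", 300, 250, False),
    ("news.reader.demo", "d2", "click", "b1", 0, 0, False),
    ("news.reader.demo", "d2", "impression", "b2", 320, 50, False),
]
MIN_SIDE_PX = 2  # assumption: a slot 1 px or smaller on either side is unviewable

def is_viewable(width, height, hidden):
    return not hidden and width >= MIN_SIDE_PX and height >= MIN_SIDE_PX

def audit(events):
    """Count, per app, invisible impressions and clicks on ads nobody could see."""
    seen = set()  # (app, device, ad) combinations that were rendered viewably
    report = defaultdict(lambda: {"impressions": 0, "invisible": 0,
                                  "clicks": 0, "unseen_clicks": 0})
    for app, device, kind, ad, width, height, hidden in events:
        stats = report[app]
        if kind == "impression":
            stats["impressions"] += 1
            if is_viewable(width, height, hidden):
                seen.add((app, device, ad))
            else:
                stats["invisible"] += 1
        elif kind == "click":
            stats["clicks"] += 1
            if (app, device, ad) not in seen:
                stats["unseen_clicks"] += 1
    return dict(report)

def suspicious_apps(events, max_share=0.5):
    """Apps where over max_share of impressions or clicks had no viewable ad."""
    flagged = []
    for app, s in audit(events).items():
        bad_imps = s["invisible"] / s["impressions"] if s["impressions"] else 0.0
        bad_clicks = s["unseen_clicks"] / s["clicks"] if s["clicks"] else 0.0
        if bad_imps > max_share or bad_clicks > max_share:
            flagged.append(app)
    return sorted(flagged)
```

On the constructed sample, only `photo.editor.demo` is flagged: both of its impressions were unviewable and all three of its clicks landed on ads no user could have seen.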


Both fake apps and malware-infected apps can also serve ads via intrusive pop-ups or pop-unders. These may also occur while the app isn’t even running, or after it has been uninstalled, as the viral component is now embedded in the device. Serving ads in this spammy manner can be damaging to the brand (you don’t wanna be associated with spammy ads, do you?) and also has a pretty much zero conversion rate.

How much ad revenue is lost to fake apps and malware?

It’s hard to put a figure on the total revenue lost to fake apps and malware. However, research shows that the digital marketing industry loses over $35 billion each year to click fraud and ad fraud.

Read more about click fraud in our guide.

Traffic from fake apps and malware-infected software undoubtedly contributes a large slice of this. 

The problem is that the likes of Google and Facebook don’t look out for this kind of fake click. When dealing with falsified impressions, click spam, and misattribution fraud, Google, Facebook, and the ad platforms aren’t paying attention.

This is why solutions such as ClickCease and CHEQ Paradome have become important tools in the armoury of modern marketers.  

With fake clicks sucking up around 14% of the average marketer’s budget, anyone serious about maximizing their reach or getting the best ROAS needs to be looking at blocking ad fraud.
